[gnutls-help] certtool - key encipherment (X.509v3 extension)

Tobias --- tobbe.se at gmail.com
Tue Dec 15 17:36:57 CET 2015


2015-12-15 11:55 GMT+01:00 Nikos Mavrogiannopoulos <nmav at gnutls.org>:

> On Mon, Dec 14, 2015 at 10:31 AM, Tobias --- <tobbe.se at gmail.com> wrote:
> > 2015-12-14 9:43 GMT+01:00 Nikos Mavrogiannopoulos <nmav at gnutls.org>:
> >>
> >> On Sun, Dec 13, 2015 at 9:34 PM, Tobias --- <tobbe.se at gmail.com> wrote:
> >> > Hello!
> >> >
> >> > I'm trying to create a certificate that contains the necessary options
> >> > to let the libvirtd service work as intended with remote control over TLS.
> >> >
> >> > I have created my own CA using certtool and the problem that I'm having
> >> > is with the server certificate.
> >> > The template that I'm using when I create the CSR is as follows:
> >> > organization = "Local libvirtd"
> >> > unit = "libvirtd server"
> >> > cn = "oink"
> >> > country = "SE"
> >> > state = "Sweden"
> >> > expiration_days = 1095
> >> > tls_www_server
> >> > signing_key
> >> > encryption_key
> >> > I've also tried to make certtool honour the extensions, which it does to
> >> > a certain degree. The "encryption_key" is not honored even if I try to
> >> > enforce it using the "honour_crq_extensions" option as well as using the
> >> > above template when I sign the CSR with the CA. The resulting PEM-encoded
> >> > certificate generates the following error during startup of libvirtd:
>
> Note that the option is honor_crq_extensions.
>
> > The reason that I'm creating a CSR and then a CRT is because I'm going to
> > create multiple certificates. I need to create certificates for my client
> > too, so I want to do it the same way for both server and client. I am aware
> > that I can create the certificate in one go. The commands that I use are
> > as follows:
> > certtool --generate-request --load-privkey serverkey.pem --template
> > server.info --outfile servercsr.pem --hash=sha512
> > # The template "server.info" is what I pasted in the first post.
> >
> > certtool --generate-certificate --load-ca-certificate cacert.pem
> > --load-ca-privkey cakey.pem --template server.info --load-request
> > servercsr.pem --outfile servercert.pem --hash=sha512
> > # If I give it the template here then I don't get a bunch of questions.
> > If I don't, then I get what I specified for the CSR, but if I answer YES to
> > the question about TLS web server then I get that extension listed twice in
> > the certificate.
>
> Key purposes are not overwritten but appended so if it is already
> specified by the client and set by the server you'll see it twice.
>
> > If I omit the template and answer the questions then I don't
> > get any question regarding key encipherment and I still get the same
> > result. I get the same result regardless of what I do.
>
> I cannot however reproduce (with honor_crq_extensions) your issue. I
> see both Digital signature and Key encipherment in the generated
> certificate.
>
> regards,
> Nikos
>

I did write honor_crq_extensions. I just got confused when I read "honour"
somewhere else regarding this subject.

I've made additional attempts. The CSR doesn't contain the key encipherment
extension either. It only contains the other two extensions. I even copied
that extension straight out of the certtool manpage and it still won't
accept the extension. I wrote a separate template that contained
honor_crq_extensions and encryption_key but it didn't produce the desired
result.
Does it matter that I use ECDSA?

Any suggestions?
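Added here as an example, not code from the thread or from the GnuTLS project: a POSIX shell script that reruns the CA -> CSR -> signed certificate flow described above with certtool, once with an RSA server key and once with an ECDSA one, and then reads back which key-usage bits actually ended up in the CSR and in the signed certificate. It assumes certtool (from gnutls-bin) is on PATH; the file names, the "Example CA" name, the 2048-bit/secp256r1 key sizes and the temporary work directory are assumptions made for this script.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the CA -> CSR -> signed
# certificate flow with certtool and then read back which key-usage bits
# actually landed in the CSR and in the certificate, for RSA and ECDSA keys.
# File names, the "Example CA" name and the work directory are made up.
set -eu

# certtool ships with gnutls-bin; without it there is nothing to check.
command -v certtool >/dev/null 2>&1 || { echo "certtool not found, install gnutls-bin" >&2; exit 0; }

# key_usage FILE KIND: print the entries certtool lists under "Key Usage" for
# a CSR (KIND=crq) or a certificate (KIND=crt), one per line, sorted, e.g.
# "Digital signature." and "Key encipherment.". The entries are the indented
# lines between the "Key Usage" header and the next "...:" header.
key_usage() {
    case $2 in
        crq) opt=--crq-info ;;
        *)   opt=--certificate-info ;;
    esac
    certtool "$opt" --infile "$1" |
        awk '/Key Usage/ { in_ku = 1; next }
             in_ku && /:$/ { in_ku = 0 }
             in_ku && NF   { sub(/^[ \t]+/, ""); print }' |
        sort -u
}

# build_ca DIR: self-signed CA (DIR/cacert.pem, DIR/cakey.pem) as in the thread.
build_ca() {
    mkdir -p "$1"
    cat >"$1/ca.info" <<'EOF'
cn = "Example CA"
ca
cert_signing_key
expiration_days = 365
EOF
    certtool --generate-privkey --bits 2048 --outfile "$1/cakey.pem" >/dev/null 2>&1
    certtool --generate-self-signed --load-privkey "$1/cakey.pem" \
        --template "$1/ca.info" --outfile "$1/cacert.pem" >/dev/null 2>&1
}

# build_server DIR KEYTYPE: server key (rsa or ecdsa), CSR and CA-signed
# certificate in DIR/KEYTYPE, using the thread's server.info template plus
# honor_crq_extensions and the same two certtool invocations as the thread.
build_server() {
    d=$1/$2
    mkdir -p "$d"
    cat >"$d/server.info" <<'EOF'
organization = "Local libvirtd"
unit = "libvirtd server"
cn = "oink"
country = "SE"
state = "Sweden"
expiration_days = 1095
tls_www_server
signing_key
encryption_key
honor_crq_extensions
EOF
    if [ "$2" = ecdsa ]; then
        certtool --generate-privkey --ecc --curve secp256r1 --outfile "$d/serverkey.pem" >/dev/null 2>&1
    else
        certtool --generate-privkey --bits 2048 --outfile "$d/serverkey.pem" >/dev/null 2>&1
    fi
    certtool --generate-request --load-privkey "$d/serverkey.pem" \
        --template "$d/server.info" --outfile "$d/servercsr.pem" --hash=sha512 >/dev/null 2>&1
    certtool --generate-certificate --load-ca-certificate "$1/cacert.pem" \
        --load-ca-privkey "$1/cakey.pem" --template "$d/server.info" \
        --load-request "$d/servercsr.pem" --outfile "$d/servercert.pem" --hash=sha512 >/dev/null 2>&1
}

# Run the flow once per key type and show what each artifact really carries.
main() {
    work=$(mktemp -d)
    build_ca "$work"
    for kt in rsa ecdsa; do
        build_server "$work" "$kt"
        echo "== $kt server key =="
        echo "  CSR key usage:         $(key_usage "$work/$kt/servercsr.pem" crq | tr '\n' ' ')"
        echo "  certificate key usage: $(key_usage "$work/$kt/servercert.pem" crt | tr '\n' ' ')"
    done
    rm -rf "$work"
}
main
```

Reading the CSR with certtool --crq-info before signing, as key_usage does, separates the two questions in the thread: whether the bit was ever written into the request, and whether the signing step carried it over. Comparing the two runs shows whether the key type changes what certtool writes for the same template.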